How to make Europe the world's safest online environment

Bonn, 11 November 2013

Vice-President of the European Commission responsible for the Digital Agenda

To add your comment to this speech, see the social version of the speech heresentence permalink

1

Our world is entering the digital age. And it is becoming ever more important to keep that digital world safe and secure.sentence permalink

+

Recent headlines show us the sheer scale of hacking and spying, and the significance for our privacy, and for our economy.sentence permalink

+

But let's recall three trends.

First: the online world is coming to benefit every aspect of our lives, bringing innovation, convenience and efficiency.sentence permalink

+

And no wonder. New innovations like the cloud offer a hundred-billion euro boost to Europe.sentence permalink

3

We cannot turn our backs on those benefits. But, with that growing spread, online threats have correspondingly growing consequences. And a lack of trust can only hamper widescale use, and constrain those benefits.sentence permalink

+

Second: risks are mounting. According to Symantec, the total number of attacks increased by 81% in just one year. In ever more forms: from identity theft and phishing — to botnets, Trojans and denial-of-service attacks. And more besides.sentence permalink

1

Third: these risks imply significant costs. Each year, many businesses, if not the majority, face security breaches: even for a smaller business, the cost can be tens of thousands of euros per breach. For a major incident the cost could amount to over a quarter of a trillion dollars. Let's hope that doesn't happen.sentence permalink

+

But let's not get confused between the different issues in play here. Let's understand the situation, recognise which tools we have available, and use the right one for the right job. Let's not confuse privacy with security, or confidentiality with integrity.sentence permalink

+

Data protection is a fundamental right that we must safeguard. People have a right to know and control how their data is used.sentence permalink

1

Not least because the further data is spread, it more vulnerable it becomes.sentence permalink

+

We must protect our citizens, so their data is not misused in that way. Not destroying the digital opportunities they enjoy every day, but protecting proportionately.sentence permalink

+

So data protection is an important part of the picture. But let's be realistic.sentence permalink

+

Spying may be unacceptable. But it's been going on for some time. Maybe it's the world's second oldest profession. And it's not about to stop.sentence permalink

1

You won't prevent it just by making it illegal. Nor just by fining a handful of US corporations.sentence permalink

Recent revelations about the scale of online spying have been astonishing. But let's not just sit there stunned like a rabbit in the headlights. Nor submit to hysteria. Let's protect ourselves.sentence permalink

1

And the fact is, if you want to stop a burglar breaking through your front door, you don’t need a good lawyer, you need a good lock.sentence permalink

1

The answer does not lie in constraining data within national borders. Hiking up the drawbridge and creating isolated national fortresses.sentence permalink

+

With separate systems in each country, slicing our single market into tiny pieces.sentence permalink

+

That wouldn't promote secure European innovations. It would merely throw out the baby with the bathwater.sentence permalink

+

Rather the answer lies in bringing those barriers down. For a unified European market, with economies of scale, where new secure ideas can flourish and find a home. So Europe can become the safest online environment in the world.sentence permalink

+

Our cybersecurity strategy is about ensuring an online world that is open, free, safe and secure. Promoting the EU's core values, and human rights. Online just as we do offline.sentence permalink

And to enhance our international cyberspace policy. We already discuss these issues regularly with major international partners, and are looking into cooperation with yet more. And in multilateral fora, like the Seoul conference on cyberspace. We don't need new legal treaties; and the Budapest Convention is already there to be ratified. But international norms for state behaviour in cyber space could boost both free trade and fundamental rights.sentence permalink

1

And we can continue to help other countries to build their capacity: in areas from technical to judicial, to law enforcement.sentence permalink

If we want Europeans to have confidence in the online world. If we want strong European players able to provide that assurance. If we want European data and European systems subject to European safeguards.sentence permalink

We need an environment where those who manage and use ICT have the incentives to use high-quality security. Public and private.sentence permalink

1

And we need the best technology. Maybe this means that we make it ourselves in Europe, thanks to a vibrant, European market that innovates to create those security solutions. And this is why we are increasing R&D in cybersecurity. Or maybe it requires that we verify that the ICT equipment and applications we buy are not designed with backdoors built in!sentence permalink

Our European Cloud Partnership is about governments joining forces, to stimulate a market and find secure cloud solutions for Europe. Using the power of public procurement, worth one fifth of the cloud market.sentence permalink

1

With common standards so Governments can leap into the cloud, without compromising on security. And indeed that Partnership is meeting once again in just a few days, in Berlin.sentence permalink

We already have rules so telecoms operators stay secure: to ensure they take the right measures and notify any significant incidents.sentence permalink

1

But we need to extend those rules.

Because there is so much critical infrastructure out there – energy, transport, health, banks. Infrastructure that increasingly relies on telecoms networks, but is not run by telecoms operators. Infrastructure that needs to operate continuously, and to stay secure.sentence permalink

1

Attackers can just target the weakest link in the chain, and we need protections across that chain.sentence permalink

1

And it's not right that telecoms operators should have to take all the precautions and shoulder all the burden. When other over-the-top internet companies do not. That isn't fair competition and it is jeopardising our security.sentence permalink

1

So those are the kinds of safeguards we are trying to create through our proposed legislation. The three C's: better capabilities to avoid and respond to cyber attacks. A better culture: more aware, more proactive and more transparent. And more cooperation between EU countries, at strategic and operational levels.sentence permalink

We will also be providing general guidance, so governments and the private sector can adapt, and take the tailored measures that match the specific risks they face, and the arrangements they already have in place.sentence permalink

+

We have created a network and information security "platform" – where 180 public and private organisations get together to identify best practices that can inform our work. Ensuring more consistency for a truly European market. Looking at areas from public procurement, to security labels, to research and development priorities.sentence permalink

1

We are raising awareness through events like European cybersecurity month.sentence permalink

+

And of course we are also investing in research and innovation in security. New ideas to build securer societies and industrial leadership in cybersecurity, trustworthy ICT and privacy. Keeping systems safe and data secure.sentence permalink

+

This is not about heavy-handed measures, and it's not about trying to devise "one size that fits all". It's about a risk-based approach, one where different companies and organisations of different sizes do what is needed, proportionately to the threat they face.sentence permalink

1

Often the solution is relatively simple. Some reckon as many as 85% of successful intrusions could be prevented just by decent "cyber-hygiene" practices.sentence permalink

2

Any reasonable company, of any shape or size, will already manage the risks and threats to their business. Now, as business goes online, we need to make cyber-threats a part of their thinking, too.sentence permalink

+

This is important.

The EU's most senior politicians realise this. Just a few weeks ago, EU leaders, including Chancellor Merkel, formally acknowledged the importance of the digital economy. And they endorsed some bold decisions to get our economy online, and give it the single market boost. For high-quality, pan-European networks and services. Creating the environment where we can get every European digital: within a telecoms single market.sentence permalink

1

They also underlined the essential role of trust in that digital economy, and for completing the European digital single market. They called for Europe to stay at the forefront in taking up the cloud. To promote high standards for secure, high-quality and reliable cloud services. And for timely adoption of our network and information security Directive.sentence permalink

+

So now I hope we can treat these issues with the urgency they deserve. And in particular to adopt the Directive before the European Parliament rises.sentence permalink

+

We are prepared to work with Member States and the Parliament on that issue. And I hope that we can put minor disagreements aside, for the sake of a stronger, more secure Europe.sentence permalink

+

We cannot ignore the mandate leaders have given us. Nor the imperative for a secure, resilient connected continent. We must act, and fast.sentence permalink